Abstract

A natural way to organize cooperative tasking in multi-agent systems is a top-down design that decomposes a global task into subtasks for the individual agents, such that accomplishing the subtasks guarantees achievement of the global task. In our previous works [1], [2], we presented necessary and sufficient conditions for the decomposability of a global task automaton among cooperative agents. As a follow-up, this paper deals with the robustness of the proposed top-down design approach with respect to event failures in the multi-agent system. The main concern under event failure is whether a previously decomposable task can still be achieved collectively by the agents, and if not, under what conditions the global task can be robustly accomplished. This is the fault-tolerance issue of the top-down design, and the results give designers hints on which events are fragile with respect to failures and whether redundancies are needed. The main objective of this paper is to identify necessary and sufficient conditions on the failed events under which a decomposable global task can still be achieved successfully. For this purpose, a notion called passivity is introduced to characterize the type of event failures. Passivity is found to reflect the redundancy of communication links over shared events; based on it, necessary and sufficient conditions for the reliability of cooperative tasking under event failures are derived, followed by illustrative examples and remarks on the derived conditions.
I. Introduction

Multi-agent systems have emerged as an active research area with strong support from a wide range of applications such as power grids, transportation networks, ubiquitous computation, and multi-robot systems [3], [4], [5]. The significance of multi-agent systems is rooted in the power of parallelism and cooperation between simple components, which lead to sophisticated capabilities and more robustness and functionality than individual multi-skilled agents [6], [7], [8]. One of the key problems in multi-agent systems is top-down cooperative tasking, through which a global task is decomposed into subtasks for each individual agent such that the accomplishment of these subtasks guarantees the achievement of the global task.

For this purpose, in our previous work [1] a top-down design approach for multi-agent cooperative tasking was proposed for two agents and then generalized in [2] to an arbitrary finite number of agents. As the main contribution, [1], [2] identified necessary and sufficient conditions under which a deterministic task automaton is decomposable with respect to parallel composition and natural projections into local event sets, namely, the task automaton is bisimilar to the parallel composition of its natural projections. Moreover, it was shown that if the task automaton is decomposable and local supervisors are designed to satisfy the local specification automata, then the entire closed-loop system satisfies the original global specification. It is worth noting that the determinism of the global task automaton does not reduce its decomposability in the sense of bisimulation to its decomposability in the sense of language equivalence [9], nor to the separability of its language [10], since in general the local task automata obtained by natural projection can be nondeterministic (see Example 9 in the Appendix).

Once a multi-agent system is designed, its safety becomes a crucial property across the agents, in order to prevent consequences for the system and its users that cannot be compensated for. Failures, on the other hand, are usually unavoidable due to the large-scale nature of and complex interactions among the distributed agents. It is therefore very important to introduce some degree of redundancy into the design so as to achieve fault tolerance. Towards this end, this paper continues the work in [1], [2] and deals with the robustness of the proposed top-down design approach with respect to event failures in the multi-agent system. The main concern under failure is whether a previously decomposable task can still be achieved collectively by the agents. Note that no global information on failures is assumed: each agent is only aware of the failures around itself and simply tries to accomplish its previously assigned subtask (we assume that the global task is decomposable before the failures, and that the subtasks have been obtained accordingly). An interesting question is whether these agents can achieve the original global task in spite of the event failures. If not, we ask under what conditions the global task can be robustly accomplished. This is the fault-tolerance issue of the top-down design, and the results give designers hints on which events are fragile with respect to failures and whether redundancies are needed in the sharing of some events. It is desirable to share as few events as possible through the communication links, to reduce the bandwidth and hence the cost of the design. The main objective of this paper is to identify necessary and sufficient conditions on the failed events under which a decomposable global task can still be achieved successfully by the cooperative agents.

This work differs from diagnosability and isolation problems [11], whose interest is in the detection and identification of the type of faults. In this work the faults are known, and the question is the tolerance of the system in spite of the faults. It also differs from reliable supervisory control [12], [13], which seeks the minimal number of supervisors required for correct functionality of the supervised system. Another different problem is robust supervisory control [14], which considers the plant as a set of possible plants and designs a supervisor applicable to the whole range of plants.

This work is related to fault-tolerant supervisory control, which has been widely studied in the context of discrete event systems. For example, [15] proposed switching to another supervisor after fault detection. In another work, [16], the author proposed re-synthesizing the supervisor upon the occurrence of a fault. A framework for fault-tolerant supervisory control was proposed in [17] and further explored in [18] by enforcing given specifications for the non-faulty and faulty parts of the plant, to ensure that the plant recovers from any fault within a bounded delay, such that the recovered plant is equivalent to the non-faulty plant. In [19] a fault is modeled as an uncontrollable event whose occurrence causes faulty behavior. The authors provided a necessary and sufficient condition for the existence of a supervisor under failures, based on controllability, observability and relative closure, together with the notions of state stability [20], [21] and language stability [22], [23]. In [24], a fault recovery result was proposed by introducing normal, transient and recovery modes, such that the language of the closed-loop system equals a given language of the normal mode. Most of these works, however, address language specifications and deal with decentralized supervisory control with distributed supervisors and a monolithic plant.

In this paper, continuing the work in [1], [2], it is first observed that a necessary condition for preserving decomposability is that the failed events can only be shared events, and only those that are received from other agents or sent to others redundantly. In other words, a necessary condition on the failed events is that they are not produced by the sensors/actuators of the corresponding agent, and that they are not sent to other agents unless some alternative agent exists to relay them. We call such events passive events of the agent. Passive events thus refer to shared events carried over redundant communication links. Based on this notion, it may seem that the failure of passive events has no effect on decomposability, as the events do not fail in the sender agents and the receiver is merely no longer informed about them. However, it will be shown that although the passivity of the failed events is a necessary condition for preserving decomposability, some additional conditions are required for the task automaton to remain decomposable. The intuitive reason is that when a shared event fails, the corresponding agent can no longer use the information it carried as part of its decision making on the order of, or switch between, transitions. Moreover, the failure must satisfy criteria ensuring that, after the failures, the parallel composition of the local automata neither generates a new string that is not allowed in the global automaton nor prevents a string that is allowed in the global task automaton. In particular, while the passivity of the failed events is a necessary condition for preserving decomposability, it is shown that for a deterministic task automaton that experiences failures on passive events, the task automaton remains decomposable if and only if any required decision on the order of, or switch between, any pair of events can still be made by at least one of the agents after the failure, no illegal string is allowed, and no legal string is prevented by the composition of the local task automata after the failure. This work generalizes the preliminary work on task decomposition under failure in [25] from two agents to an arbitrary finite number of agents, providing the proofs and illustrative examples. It furthermore shows that under the passivity of the failed events together with the proposed conditions, a previously achieved task automaton can still be achieved by the team of agents.

The rest of the paper is organized as follows. Section II provides preliminary lemmas, notations and definitions, and recalls the necessary and sufficient conditions for the decomposition of an automaton with respect to parallel composition and local event sets. The fault-tolerant task decomposability and multi-tasking problems are formulated in Section III. Section IV presents the main result on decomposability under event failures and introduces the necessary and sufficient conditions under which a decomposable task automaton remains decomposable in spite of event failures, followed by illustrative examples for each condition. Next, it is shown in Section V that under passivity and the proposed conditions, if a previously decomposable task automaton has been achieved globally by local controllers, it remains satisfied in spite of event failures. As a special case, Section VI provides more insight into global decision making on the selection and order of transitions in the two-agent case. Finally, the paper concludes with remarks and discussions in Section VII. The proofs of the lemmas are given in the Appendix.

II. Preliminaries 

The top-down approach proposed in [1], [2] investigated deterministic global task automata and introduced necessary and sufficient conditions under which the task automaton is decomposable with respect to parallel composition and natural projections into local event sets, such that the parallel composition of the local task automata bisimulates the global task automaton. It was also shown that fulfilment of the local task automata leads to satisfaction (in the sense of bisimulation) of the global task automaton. We first recall the definition of an automaton [26].

Definition 1: (Automaton) A deterministic automaton is a tuple $A := (Q, q_0, E, \delta)$ consisting of a set of states $Q$; an initial state $q_0 \in Q$; a set of events $E$ that cause transitions between the states; and a transition relation $\delta \subseteq Q \times E \times Q$, with partial map $\delta : Q \times E \to Q$, such that $(q, e, q') \in \delta$ if and only if state $q$ is transited to state $q'$ by event $e$, denoted by $q \xrightarrow{e} q'$ (or $\delta(q, e) = q'$). A nondeterministic automaton is a tuple $A := (Q, q_0, E, \delta)$ with a partial transition map $\delta : Q \times E \to 2^Q$, and if hidden transitions ($\varepsilon$-moves) are also possible, then a nondeterministic automaton with hidden moves is defined as $A := (Q, q_0, E \cup \{\varepsilon\}, \delta)$ with a partial map $\delta : Q \times (E \cup \{\varepsilon\}) \to 2^Q$. For a nondeterministic automaton the initial state can in general be taken from a set $Q_0 \subseteq Q$. Given a nondeterministic automaton $A$ with hidden moves, the $\varepsilon$-closure of $q \in Q$, denoted by $\varepsilon^*_A(q) \subseteq Q$, is recursively defined as: $q \in \varepsilon^*_A(q)$; $q' \in \varepsilon^*_A(q) \Rightarrow \delta(q', \varepsilon) \subseteq \varepsilon^*_A(q)$. The transition relation can be extended to a finite string of events $s \in E^*$, where $E^*$ stands for the Kleene closure of $E$ (the set of all finite strings over elements of $E$). For an automaton without hidden moves, $\varepsilon^*_A(q) = \{q\}$, and the transition on a string is inductively defined as $\delta(q, \varepsilon) = q$ (empty move or silent transition) and $\delta(q, se) = \delta(\delta(q, s), e)$ for $s \in E^*$ and $e \in E$. For an automaton $A$ with hidden moves, the extension of the transition

The operator $Ac(\cdot)$ [26] is then defined by excluding the states, and their attached transitions, that are not reachable from the initial state: $Ac(A) = (Q_{ac}, q_0, E, \delta_{ac})$ with $Q_{ac} = \{q \in Q \mid \exists s \in E^*, q \in \delta(q_0, s)\}$ and $\delta_{ac} = \delta|_{Q_{ac} \times E \to Q_{ac}}$, i.e., $\delta$ restricted to the smaller domain $Q_{ac}$. Since $Ac(\cdot)$ has no effect on the behavior of the automaton, from now on we take $A = Ac(A)$.

We focus on deterministic global task automata, which are simpler to characterize and cover a wide class of specifications. The qualitative behavior of a deterministic system is described by the set of all possible sequences of events starting from the initial state. Each such sequence is called a string, and the collection of strings is the language generated by the automaton, denoted by $L(A)$. The existence of a transition on a string $s \in E^*$ from a state $q \in Q$ is denoted by $\delta(q, s)!$. For a language $L$, by $\delta(q, L)!$ we mean that $\forall u \in L: \delta(q, u)!$. To compare the task automaton with its decomposed automata, we use the bisimulation relation.



Definition 2: (Simulation and Bisimulation) Consider two automata $A_i = (Q_i, q_0^i, E, \delta_i)$, $i = 1, 2$. A relation $R \subseteq Q_1 \times Q_2$ is said to be a simulation relation from $A_1$ to $A_2$ if $(q_0^1, q_0^2) \in R$ and, $\forall (q_1, q_2) \in R$, if $\delta_1(q_1, e) = q_1'$ then $\exists q_2' \in Q_2$ such that $\delta_2(q_2, e) = q_2'$ and $(q_1', q_2') \in R$.

If $R$ is defined for all states and all events in $A_1$, then $A_1$ is said to be similar to $A_2$ (or $A_2$ simulates $A_1$), denoted by $A_1 \prec A_2$ [27].

If $A_1 \prec A_2$ and $A_2 \prec A_1$ with a symmetric relation, then $A_1$ and $A_2$ are said to be bisimilar (they bisimulate each other), denoted by $A_1 \cong A_2$ [28]. In general, bisimilarity implies language equivalence, but the converse does not necessarily hold [29].

In these works, natural projection is used to obtain the local tasks, since each agent has a limited degree of sensing and actuation and hence is provided only with local information and functionalities: the events inside its local event set. Each agent may share some events with its neighbors to facilitate the cooperative control, using interactions between the connected agents. Natural projection is defined formally as follows.

Definition 3: (Natural Projection on Strings) Consider a global event set $E$ and its local event sets $E_i$, $i = 1, 2, \dots, n$, with $E = \bigcup_{i=1}^n E_i$. Then the natural projection $p_i : E^* \to E_i^*$ is inductively defined as $p_i(\varepsilon) = \varepsilon$ and, $\forall s \in E^*, e \in E$:
$$p_i(se) = \begin{cases} p_i(s)\,e & \text{if } e \in E_i, \\ p_i(s) & \text{otherwise.} \end{cases}$$
Accordingly, the inverse natural projection $p_i^{-1} : E_i^* \to 2^{E^*}$ is defined on a string $t \in E_i^*$ as $p_i^{-1}(t) := \{s \in E^* \mid p_i(s) = t\}$.

The natural projection is also defined on automata as $P_i : \mathcal{A} \to \mathcal{A}$, where $\mathcal{A}$ is the set of finite automata and $P_i(A_S)$ is obtained from $A_S$ by replacing its events that belong to $E \setminus E_i$ by $\varepsilon$-moves and then merging the $\varepsilon$-related states, forming equivalence classes defined as follows.

Definition 4: (Equivalence class of states, [30]) Consider an automaton $A_S = (Q, q_0, E, \delta)$ and a local event set $E_i \subseteq E$. Then $\sim_{E_i}$ is the equivalence relation on the set $Q$ of states such that $\delta(q, e) = q' \wedge e \notin E_i \Rightarrow q \sim_{E_i} q'$, and $[q]_{E_i}$ denotes the equivalence class of $q$ defined on $\sim_{E_i}$. In this case, $q$ and $q'$ are said to be $\varepsilon$-related. The set of equivalence classes of states over $\sim_{E_i}$ is denoted by $Q/_{\sim_{E_i}}$ and defined as $Q/_{\sim_{E_i}} = \{[q]_{E_i} \mid q \in Q\}$.

The natural projection is then formally defined on an automaton as follows. 

Definition 5: (Natural Projection on Automata) Consider an automaton $A_S = (Q, q_0, E, \delta)$ and a local event set $E_i \subseteq E$. Then $P_i(A_S) = (Q_i = Q/_{\sim_{E_i}}, [q_0]_{E_i}, E_i, \delta_i)$, with $\delta_i([q]_{E_i}, e) = [q']_{E_i}$ if there exist states $q_1$ and $q_1'$ such that $q_1 \sim_{E_i} q$, $q_1' \sim_{E_i} q'$, and $\delta(q_1, e) = q_1'$.

To investigate the interactions of transitions between automata, particularly between $P_i(A_S)$, $i = 1, \dots, n$, the synchronized product of languages is defined as follows.

Definition 6: (Synchronized product of languages [10]) Consider a global event set $E$ and local event sets $E_i$, $i = 1, \dots, n$, such that $E = \bigcup_{i=1}^n E_i$. For a finite set of languages $\{L_i \subseteq E_i^*\}_{i=1}^n$, the synchronized product (language product) of $\{L_i\}$, denoted by $|_{i=1}^n L_i$, is defined as
$$|_{i=1}^n L_i = \{s \in E^* \mid \forall i \in \{1, \dots, n\}: p_i(s) \in L_i\} = \bigcap_{i=1}^n p_i^{-1}(L_i).$$

Then, to capture the interactions of agents, parallel composition (synchronous product) is used for two purposes: first to define the decomposition (as the parallel composition of the local tasks should be equivalent to the original task), and second to define the top-down cooperative control, such that the parallel composition of the local closed-loop systems is equivalent to the global specification.

The parallel composition (synchronous product) is a way of modeling the interactions between agents, as it allows local agents to transit on their own private events and restricts them to synchronize on the shared events, i.e., those events that are required for cooperation on common actions or for decision making on the order of or selection between events.

Definition 7: (Parallel Composition) Let $A_i = (Q_i, q_0^i, E_i, \delta_i)$, $i = 1, 2$ be automata. The parallel composition (synchronous composition) of $A_1$ and $A_2$ is the automaton $A_1 \| A_2 = (Q = Q_1 \times Q_2, q_0 = (q_0^1, q_0^2), E = E_1 \cup E_2, \delta)$, with $\delta$ defined as $\forall (q_1, q_2) \in Q, e \in E$:
$$\delta((q_1, q_2), e) = \begin{cases} (\delta_1(q_1, e), \delta_2(q_2, e)), & \text{if } \delta_1(q_1, e)!,\ \delta_2(q_2, e)!,\ e \in E_1 \cap E_2; \\ (\delta_1(q_1, e), q_2), & \text{if } \delta_1(q_1, e)!,\ e \in E_1 \setminus E_2; \\ (q_1, \delta_2(q_2, e)), & \text{if } \delta_2(q_2, e)!,\ e \in E_2 \setminus E_1; \\ \text{undefined}, & \text{otherwise.} \end{cases}$$
The parallel composition of $A_i$, $i = 1, 2, \dots, n$ is called a parallel distributed system (or concurrent system) and is defined, based on the associativity of parallel composition [27], as
$$\|_{i=1}^n A_i = A_1 \| \cdots \| A_n = A_n \| (A_{n-1} \| (\cdots \| (A_2 \| A_1))).$$

The set of labels of the local event sets containing an event $e$ is called the set of locations of $e$, denoted by $loc(e)$ and defined as $loc(e) = \{i \in \{1, \dots, n\} \mid e \in E_i\}$.

In this sense, the decomposability of an automaton with respect to parallel composition and natural projections is defined as follows.

Definition 8: (Automaton decomposability) A task automaton $A_S$ with event set $E$ and local event sets $E_i$, $i = 1, \dots, n$, $E = \bigcup_{i=1}^n E_i$, is said to be decomposable with respect to parallel composition and natural projections if $\|_{i=1}^n P_i(A_S) \cong A_S$.
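As an added worked example (this is not code from the paper, and the two task automata below are constructed for illustration), the following Python implements Definitions 5, 7 and 8 directly: natural projection by merging the states that are $\varepsilon$-related through events outside $E_i$, binary parallel composition folded over the agents, and a greatest-fixpoint bisimulation check in the sense of Definition 2 between $A_S$ and $\|_{i=1}^n P_i(A_S)$. Agent 1 owns `a`, agent 2 owns `b`, and `c` is shared. The task "a, then c, then b" is decomposable, because the shared event `c` tells agent 2 that `a` has already happened; the task "a, then b" is not, because no agent sees both events and the composition also accepts "b a".

```python
from collections import deque
from itertools import product

# Added example; not the paper's code. An automaton is the tuple
# (states, q0, events, delta) with delta a set of (q, e, q') triples, so that
# nondeterminism (which natural projection can introduce) is representable.

def natural_projection(aut, local_events):
    """Definitions 4-5: events outside local_events become epsilon-moves and the
    states they connect are merged into one equivalence class (union-find)."""
    states, q0, _events, delta = aut
    parent = {q: q for q in states}

    def find(q):
        while parent[q] != q:
            parent[q] = parent[parent[q]]
            q = parent[q]
        return q

    for q, e, q2 in delta:
        if e not in local_events:
            parent[find(q)] = find(q2)
    roots = {find(q) for q in states}
    classes = {frozenset(s for s in states if find(s) == r) for r in roots}
    cls = {s: c for c in classes for s in c}
    pdelta = {(cls[q], e, cls[q2]) for q, e, q2 in delta if e in local_events}
    return classes, cls[q0], frozenset(local_events), pdelta


def _succ(delta):
    m = {}
    for q, e, q2 in delta:
        m.setdefault((q, e), set()).add(q2)
    return m


def parallel(a, b):
    """Definition 7: private events move one component alone, shared events need
    both components enabled. Only states reachable from (q0_a, q0_b) are kept."""
    _sa, ia, ea, da = a
    _sb, ib, eb, db = b
    succ_a, succ_b = _succ(da), _succ(db)
    init = (ia, ib)
    states, delta, todo = {init}, set(), deque([init])
    while todo:
        qa, qb = todo.popleft()
        for e in ea | eb:
            na = succ_a.get((qa, e), set()) if e in ea else {qa}
            nb = succ_b.get((qb, e), set()) if e in eb else {qb}
            for target in product(na, nb):      # empty if a shared event is blocked
                delta.add(((qa, qb), e, target))
                if target not in states:
                    states.add(target)
                    todo.append(target)
    return states, init, ea | eb, delta


def bisimilar(a, b):
    """Definition 2: greatest-fixpoint check. Start with all state pairs and drop
    a pair whenever one side has a move the other side cannot match inside the
    relation; the automata are bisimilar iff the initial pair survives."""
    sa, ia, ea, da = a
    sb, ib, eb, db = b
    if ea != eb:
        return False
    ma, mb = _succ(da), _succ(db)
    rel = set(product(sa, sb))
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            forward = all(any((p2, q2) in rel for q2 in mb.get((q, e), ()))
                          for e in ea for p2 in ma.get((p, e), ()))
            backward = all(any((p2, q2) in rel for p2 in ma.get((p, e), ()))
                           for e in ea for q2 in mb.get((q, e), ()))
            if not (forward and backward):
                rel.discard((p, q))
                changed = True
    return (ia, ib) in rel


def decomposable(task, local_event_sets):
    """Definition 8: A_S is decomposable iff ||_i P_i(A_S) bisimulates A_S."""
    comp = natural_projection(task, local_event_sets[0])
    for ei in local_event_sets[1:]:
        comp = parallel(comp, natural_projection(task, ei))
    return bisimilar(task, comp)


# Constructed two-agent examples: agent 1 owns a, agent 2 owns b, c is shared.
E1, E2 = frozenset({"a", "c"}), frozenset({"c", "b"})

# "a then c then b": the shared event c lets agent 2 know that a has happened.
TASK_OK = ({"q0", "q1", "q2", "q3"}, "q0", E1 | E2,
           {("q0", "a", "q1"), ("q1", "c", "q2"), ("q2", "b", "q3")})

# "a then b": no agent sees both events, so nobody can enforce the order and the
# composition also accepts "b a" (the situation in which DC2 of Lemma 1 fails).
TASK_BAD = ({"q0", "q1", "q2"}, "q0", E1 | E2,
            {("q0", "a", "q1"), ("q1", "b", "q2")})

if __name__ == "__main__":
    print("a c b decomposable:", decomposable(TASK_OK, [E1, E2]))    # True
    print("a b   decomposable:", decomposable(TASK_BAD, [E1, E2]))   # False
```

The bisimulation check is the standard partition-refinement-free fixpoint on the explicit product of state sets, which is adequate for the small automata used in examples; for the deterministic $A_S$ of this paper it also catches the case of Remark 1 where the composition is language-equivalent but not bisimilar, since it matches transitions rather than strings.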

In general the task automaton can be nondeterministic. The decomposition of a nondeterministic automaton, however, is very difficult to characterize, due to the interleaving of nondeterministic transitions between the local task automata. For the deterministic case, necessary and sufficient conditions for the decomposability of a deterministic task automaton $A_S$ were proposed in [1] for two cooperative agents and then generalized to an arbitrary finite number of agents, as follows.

Lemma 1: (Corollary 1 in [2]) A deterministic automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^n E_i, \delta)$ is decomposable with respect to parallel composition and natural projections $P_i$, $i = 1, \dots, n$, such that $A_S \cong \|_{i=1}^n P_i(A_S)$, if and only if $A_S$ satisfies the following decomposability conditions (DC):

• DC1: $\forall e_1, e_2 \in E, q \in Q$: $[\delta(q, e_1)! \wedge \delta(q, e_2)!] \Rightarrow [\exists E_i \in \{E_1, \dots, E_n\}, \{e_1, e_2\} \subseteq E_i] \vee [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$;
• DC2: $\forall e_1, e_2 \in E, q \in Q, s \in E^*$: $[\delta(q, e_1 e_2 s)! \vee \delta(q, e_2 e_1 s)!] \Rightarrow [\exists E_i \in \{E_1, \dots, E_n\}, \{e_1, e_2\} \subseteq E_i] \vee [\delta(q, e_1 e_2 s)! \wedge \delta(q, e_2 e_1 s)!]$;
• DC3: $\delta(q_0, |_{i=1}^n p_i(s_i))!$, $\forall \{s_1, \dots, s_n\} \in \tilde{L}(A_S)$, $\exists s_i, s_j \in \{s_1, \dots, s_n\}$, $s_i \neq s_j$, where $\tilde{L}(A_S) \subseteq L(A_S)$ is the largest subset of $L(A_S)$ such that $\forall s \in \tilde{L}(A_S)$, $\exists s' \in \tilde{L}(A_S)$, $\exists E_i, E_j \in \{E_1, \dots, E_n\}$, $i \neq j$: $p_{E_i \cap E_j}(s)$ and $p_{E_i \cap E_j}(s')$ start with the same event, and
• DC4: $\forall i \in \{1, \dots, n\}$, $x, x_1, x_2 \in Q_i$, $x_1 \neq x_2$, $e \in E_i$, $t \in E_i^*$, $\delta_i(x, e) = x_1$, $\delta_i(x, e) = x_2$: $\delta_i(x_1, t)! \Leftrightarrow \delta_i(x_2, t)!$.

Intuitively, the decomposability condition DC1 means that for any decision on the selection between two transitions there should exist at least one agent capable of making the decision, or the decision should not matter (both permutations, in any order, are legal). DC2 says that for any decision on the order of two successive events before any string, either there should exist at least one agent capable of making that decision, or the decision should not matter, i.e., any order is legal for the occurrence of that string. Condition DC3 means that the interleaving of strings from the local task automata that synchronize on the same first-appearing shared event should not allow a string that is not allowed in the original task automaton. In other words, DC3 ensures that an illegal behavior (a string that does not appear in $A_S$) is not allowed by the team (does not appear in $\|_{i=1}^n P_i(A_S)$). In this condition, $|_{i=1}^n p_i(s_i)$ is a language and stands for the interleaving or language product [10] of the strings $p_i(s_i)$, defined as $|_{i=1}^n p_i(s_i) = \bigcap_{i=1}^n p_i^{-1}(p_i(s_i))$. The last condition, DC4, deals with the possible nondeterminism in $P_i(A_S)$ (note that here $A_S$ is deterministic, while $P_i(A_S)$ can be nondeterministic, as explained in Example 8). DC4 ensures the determinism of the bisimulation quotient of the local task automata, in order to guarantee the symmetry of the simulation relations between $A_S$ and $\|_{i=1}^n P_i(A_S)$. By providing this symmetry property, DC4 guarantees that a legal behavior (a string in $A_S$) is not disabled by the team (it appears in $\|_{i=1}^n P_i(A_S)$).

In [2] it was also shown that for a decomposable task automaton, if local controllers exist such that each local closed-loop system (the parallel composition of the local plant and local controller automata) satisfies its local task (bisimulates the corresponding local task automaton), then the controlled team of agents satisfies the global specification, as stated in the following lemma.

Lemma 2: (Theorem 2 in [2]) Consider a plant represented by a parallel distributed system $\|_{i=1}^n A_{P_i}$ with given local event sets $E_i$, $i = 1, \dots, n$, and let the global specification be given by a deterministic task automaton $A_S$ with $E = \bigcup_{i=1}^n E_i$. If DC1-DC4 are satisfied, then designing local controllers $A_{C_i}$ so that $A_{C_i} \| A_{P_i} \cong P_i(A_S)$, $i = 1, \dots, n$, drives the global closed-loop system to satisfy the global specification $A_S$, i.e., $\|_{i=1}^n (A_{C_i} \| A_{P_i}) \cong A_S$.

Remark 1: It is known that bisimulation implies language equivalence and that bisimulation of deterministic automata reduces to their language equivalence. One question is then whether, for a deterministic task automaton, its decomposability in the sense of bisimulation (stated in Lemma 1) reduces to its decomposability in the sense of language equivalence ($L(A_S) = L(\|_{i=1}^n P_i(A_S))$) or to its language separability ($L(A_S) = |_{i=1}^n L(P_i(A_S))$). Furthermore, it is interesting to know whether the proposed top-down cooperative control in Lemma 2 reduces to a top-down approach in the sense of language equivalence. As illustrated in the Appendix, although in general decomposability in the sense of bisimulation implies decomposability in the sense of language equivalence, the converse is not always true, in spite of the determinism of the automaton. For the top-down cooperative control, on the other hand, under the proposed decomposability conditions the bisimulation-based approach reduces to the language-equivalence one, as the deterministic task automaton can be represented by its language.

To elaborate on these remarks, we first highlight that the natural projection may introduce emerging properties that do not exist in the original automaton. For example, the local task automata may have new strings that do not appear in the original automaton, i.e., $A_S$ does not necessarily simulate $P_i(A_S)$. Moreover, the local task automata may become nondeterministic even if the original task automaton is deterministic. The decomposability of $A_S$, however, concerns the bisimilarity of $A_S$ and $\|_{i=1}^n P_i(A_S)$, which may hold even if $P_i(A_S) \not\prec A_S$ or the local task automata are nondeterministic for some agents, as shown through examples in the Appendix.

III. Problem formulation 

In the previous section we recalled the conditions for task automaton decomposability to be used in top-down cooperative control. A natural follow-up question is whether, if some events fail in some agents after such a decomposition, the global task automaton remains decomposable with respect to the new event sets, and if not, what the conditions for preserving decomposability are. To address this problem, we first need to investigate failures of events. In general, an event $e$ is either private ($|loc(e)| = 1$) or shared ($|loc(e)| > 1$). Failure of a private event destroys decomposability, as it causes a failure in the whole team of agents. Failure of a shared event, on the other hand, may or may not lead to a global failure, depending on whether the failed event is redundant. When an event is a sensor reading or an actuator command, or it is sent to other agents with no alternative links, then the failure of this event stops its global evolution. In the following, we introduce the class of failures investigated in this paper.

Definition 9: (Event failure) Consider an automaton $A = (Q, q_0, E, \delta)$. An event $e \in E$ is said to be failed in $A$ (or $E$) if $F(A) = P_{E \setminus \{e\}}(A) = (Q, q_0, E \setminus \{e\}, \delta^F)$, where $E \setminus \{e\}$, $\delta^F$ and $F(A)$ denote the post-failure event set, post-failure transition relation and post-failure automaton, respectively. A set $\bar{E} \subseteq E$ of events is then said to be failed in $A$ when every $e \in \bar{E}$ is failed in $A$, i.e., $F(A) = P_{E \setminus \bar{E}}(A) = (Q, q_0, E \setminus \bar{E}, \delta^F)$.

Consider a parallel distributed plant $A := \|_{i=1}^n A_i = (Z, z_0, E = \bigcup_{i=1}^n E_i, \delta_\|)$ with local agents $A_i = (Q_i, q_0^i, E_i, \delta_i)$, $i = 1, \dots, n$. The failure of $e$ in $E_i$ is said to be passive in $E_i$ (or $A_i$) with respect to $\|_{i=1}^n A_i$ if the global event set is unchanged by it, i.e., $E = (E_i \setminus \{e\}) \cup \bigcup_{j \neq i} E_j$ (equivalently, $e \in E_j$ for some $j \neq i$). An event whose failure in $A_i$ is a passive failure is called a passive event in $A_i$.

The notion of passivity can be interpreted as communication redundancy, as follows.

Remark 2: To interpret passivity more formally, let $snd_e(i)$ and $rcv_e(i)$ respectively denote the set of labels of the agents to which $A_i$ sends $e$ and the set of labels of the agents from which $A_i$ receives $e$, defined as $snd_e(i) = \{j \in \{1, \dots, n\} \mid A_i \text{ sends } e \text{ to } A_j\}$ and $rcv_e(i) = \{j \in \{1, \dots, n\} \mid i \in snd_e(j)\}$. Then an event $e$ is passive in $A_i$ if $rcv_e(i) \neq \emptyset$ (i.e., the $i$-th agent does not obtain $e$ from its own sensor/actuator readings but from another agent) and $\forall k \in snd_e(i)$: $\exists j \in \{1, \dots, n\} \setminus \{i, k\}$, $k \in snd_e(j)$ (i.e., if the $i$-th agent relays $e$, then for every receiver there exists another agent that also sends $e$ to it). In this set-up a passive failure excludes the failed event $e$ from the corresponding local event set $E_i$ while making its respective transitions hidden in $F(A_i)$. Therefore, by the definition of parallel composition, the transitions of the other agents can still form the global transitions in $\|_{i=1}^n F(A_i)$, since only in this way is there no synchronization constraint on the rest of the agents in $\|_{i=1}^n F(A_i)$.

Moreover, the definition of passivity implies that the passivity of the failed events is a necessary condition for the evolution of the global transitions after failures, as stated in the following lemma.



Lemma 3: (Global transitions after local failures) Consider a parallel distributed plant $A := \|_{i=1}^n A_i = (Z, z_0, E = \bigcup_{i=1}^n E_i, \delta_\|)$ with local agents $A_i = (Q_i, q_0^i, E_i, \delta_i)$, $i = 1, \dots, n$. If no global transition of $\|_{i=1}^n A_i$ is disabled in $\|_{i=1}^n F(A_i)$ (i.e., $\forall z_1, z_2 \in Z$, $\forall e \in E$: $\delta_\|(z_1, e) = z_2$ implies $\delta_\|^F(z_1, e) = z_2$), then all event failures are passive; i.e., the passivity of the local event failures is necessary for preserving the global transitions.

Proof: See the proof in the Appendix. ■

The problem of decomposability under event failures is now defined as follows.

Problem 1: (Decomposability under event failures) Let a deterministic task automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^n E_i, \delta)$ be decomposable with respect to parallel composition and natural projections $P_i$, $i = 1, \dots, n$. Does the global task automaton $A_S$ remain decomposable in spite of the failure of events $\{a_{i,r}\}$, $r \in \{1, \dots, n_i\}$, in the local event sets $E_i$, $i \in \{1, \dots, n\}$? That is, if $A_S \cong \|_{i=1}^n P_i(A_S)$, does $A_S \cong \|_{i=1}^n F(P_i(A_S))$ always hold, and if not, what are the conditions for such decomposability?

The next question is cooperative control under event failure, defined as follows.

Problem 2: (Cooperative tasking under event failure) Consider a concurrent plant $A_P := \|_{i=1}^n A_{P_i}$ and a decomposable deterministic task automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^n E_i, \delta) \cong \|_{i=1}^n P_i(A_S)$, and suppose that local controller automata $A_{C_i}$, $i = 1, \dots, n$, exist such that each local closed-loop system satisfies its corresponding local task, i.e., $A_{C_i} \| A_{P_i} \cong P_i(A_S)$, $i = 1, \dots, n$. Assume furthermore that $\bar{E}_i = \{a_{i,r}\}$, $r \in \{1, \dots, n_i\}$, fail in $E_i$. Can the team still fulfill the global task in spite of the failures, without redesigning the controller automata, i.e., does $\|_{i=1}^n F(A_{P_i} \| A_{C_i}) \cong A_S$ hold, and if not, what are the conditions to preserve the satisfaction of the global specification?

These problems are addressed in the following two sections.

IV. Task Decomposability under event failures 

According to the definition of passivity, a passive failed event $e$ is excluded from the local event set $E_i$, while the effect of this failure on $P_i(A_S)$ is defined as the projection of $A_S$ onto $E_i \setminus \{e\}$ (instead of $E_i$), leading to $P_{E_i \setminus \{e\}}(A_S)$.

In this set-up, the evolution of the global transitions in $\|_{i=1}^n F(P_i(A_S))$ relies on the passivity of the failed events, as expected and as stated in Lemma 3. The reason is that, by the definition of parallel composition, the evolution of global transitions requires the failures to be passive: passive failed events are excluded from the corresponding local event set, and the local task automaton is projected onto the remaining events. Non-passive failed events, on the other hand, are not received from other agents and hence are not excluded from the local event set; instead, their transitions are stopped, so by the synchronization restriction in the definition of parallel composition, the global transitions cannot evolve on them.

Consequently, as highlighted in Lemma 3, the passivity of the failed events is a necessary condition for the task automaton to remain decomposable after the failure.

Moreover, when all failed events are passive, by the definition of passivity Problem 1 can be transformed into the standard decomposition problem of finding the conditions under which $A_S \cong \|_{i=1}^n P_{E_i \setminus \bar{E}_i}(A_S)$. Accordingly, the conditions on the global task automaton for preserving decomposability under event failures reduce to the respective decomposability conditions in Lemma 1, as in the following lemmas.

Lemma 4: Consider a deterministic task automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^n E_i, \delta)$. Assume that $A_S$ is decomposable, i.e., $A_S \cong \|_{i=1}^n P_i(A_S)$, and suppose that $\bar{E}_i = \{a_{i,r}\}$, $r \in \{1, \dots, n_i\}$, fail in $E_i$, and $\bar{E}_i$ are passive for $i \in \{1, \dots, n\}$. Then the following two expressions are equivalent:

1) EF1: $\forall e_1, e_2 \in E$, $q \in Q$: $[\delta(q, e_1)! \wedge \delta(q, e_2)!] \Rightarrow [\exists E_i \in \{E_1, \dots, E_n\}, \{e_1, e_2\} \subseteq E_i \setminus \bar{E}_i] \vee [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$;
   EF2: $\forall e_1, e_2 \in E$, $q \in Q$, $s \in E^*$: $[\delta(q, e_1 e_2 s)! \vee \delta(q, e_2 e_1 s)!] \Rightarrow [\exists E_i \in \{E_1, \dots, E_n\}, \{e_1, e_2\} \subseteq E_i \setminus \bar{E}_i] \vee [\delta(q, e_1 e_2 s)! \wedge \delta(q, e_2 e_1 s)!]$.

2) DC1$_\Sigma$: $\forall e_1, e_2 \in E$, $q \in Q$: $[\delta(q, e_1)! \wedge \delta(q, e_2)!] \Rightarrow [\exists \Sigma_i \in \{\Sigma_1, \dots, \Sigma_n\}, \{e_1, e_2\} \subseteq \Sigma_i] \vee [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$;
   DC2$_\Sigma$: $\forall e_1, e_2 \in E$, $q \in Q$, $s \in E^*$: $[\delta(q, e_1 e_2 s)! \vee \delta(q, e_2 e_1 s)!] \Rightarrow [\exists \Sigma_i \in \{\Sigma_1, \dots, \Sigma_n\}, \{e_1, e_2\} \subseteq \Sigma_i] \vee [\delta(q, e_1 e_2 s)! \wedge \delta(q, e_2 e_1 s)!]$.

Proof: See the proof in the Appendix. ■

Lemma 4 gives the simplified versions of DC1 and DC2 after event failures, with respect to the refined local event sets. Adopting the same DC3 for the refined local event sets, it remains to represent a simplified version of DC4 for the local task automata after event failures. This condition is stated in the following lemma.



Lemma 5: Consider a deterministic task automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^n E_i, \delta)$. Assume that $A_S$ is decomposable, i.e., $A_S \cong \|_{i=1}^n P_i(A_S)$, and suppose that $\bar{E}_i = \{a_{i,r}\}$, $r \in \{1, \dots, n_i\}$, fail in $E_i$, and $\bar{E}_i$ are passive for $i \in \{1, \dots, n\}$. Then the following two expressions are equivalent:

• EF4: $\forall i \in \{1, \dots, n\}$, $x, x_1, x_2 \in Q_i$, $x_1 \neq x_2$, $e \in E_i \setminus \bar{E}_i$, $t_1 \in \bar{E}_i^*$, $t \in E^*$, $\delta_i(x, t_1 e) = x_1$, $\delta_i(x, e) = x_2$: $\delta_i(x_1, t)! \Leftrightarrow \delta_i(x_2, t)!$.
• DC4$_\Sigma$: $\forall i \in \{1, \dots, n\}$, $x, x_1, x_2 \in Q_i$, $x_1 \neq x_2$, $e \in \Sigma_i$, $t \in \Sigma_i^*$, $\delta_i'(x, e) = x_1$, $\delta_i'(x, e) = x_2$: $\delta_i'(x_1, t)! \Leftrightarrow \delta_i'(x_2, t)!$, where $\delta_i'$ is the transition relation in $F(P_i(A_S))$.

Proof: See the proof in the Appendix. ■

Remark 3: EF4 is the counterpart of DC4 after the event failures; it handles nondeterminism that newly becomes possible in the local task automata. Any nondeterminism that is propagated from the local task automata before the failure is treated by DC4 when $A_S$ is decomposable.

Now, the combination of Lemmas 1, 4 and 5 leads to the main result on decomposability under event failures, stated in the following theorem.

Theorem 1: Consider a deterministic task automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^n E_i, \delta)$. Assume that $A_S$ is decomposable, i.e., $A_S \cong \|_{i=1}^n P_i(A_S)$, and furthermore assume that $\bar{E}_i = \{a_{i,r}\}$, $r \in \{1, \dots, n_i\}$, fail in $E_i$, and $\bar{E}_i$ are passive for $i \in \{1, \dots, n\}$. Then $A_S$ remains decomposable in spite of the event failures, i.e., $A_S \cong \|_{i=1}^n F(P_i(A_S))$, if and only if

• EF1: $\forall e_1, e_2 \in E$, $q \in Q$: $[\delta(q, e_1)! \wedge \delta(q, e_2)!] \Rightarrow [\exists E_i \in \{E_1, \dots, E_n\}, \{e_1, e_2\} \subseteq E_i \setminus \bar{E}_i] \vee [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$;

• EF2: $\forall e_1, e_2 \in E$, $q \in Q$, $s \in E^*$: $[\delta(q, e_1 e_2 s)! \vee \delta(q, e_2 e_1 s)!] \Rightarrow [\exists E_i \in \{E_1, \dots, E_n\}, \{e_1, e_2\} \subseteq E_i \setminus \bar{E}_i] \vee [\delta(q, e_1 e_2 s)! \wedge \delta(q, e_2 e_1 s)!]$;

• EF3: $\delta(q_0, |_{i=1}^n p_i(s_i))!$, $\forall \{s_1, \dots, s_n\} \in \tilde{L}(A_S)$, $\exists s_i, s_j \in \{s_1, \dots, s_n\}$, $s_i \neq s_j$, where $\tilde{L}(A_S) \subseteq L(A_S)$ is the largest subset of $L(A_S)$ such that $\forall s \in \tilde{L}(A_S)$, $\exists s' \in \tilde{L}(A_S)$, $\exists \Sigma_i, \Sigma_j \in \{\Sigma_1, \dots, \Sigma_n\}$, $i \neq j$, $p_{\Sigma_i \cap \Sigma_j}(s)$ and $p_{\Sigma_i \cap \Sigma_j}(s')$ start with the same event, and

• EF4: $\forall i \in \{1, \dots, n\}$, $x, x_1, x_2 \in Q_i$, $x_1 \neq x_2$, $e \in E_i \setminus \bar{E}_i$, $t_1 \in \bar{E}_i^*$, $t \in E^*$, $\delta_i(x, t_1 e) = x_1$, $\delta_i(x, e) = x_2$: $\delta_i(x_1, t)! \Leftrightarrow \delta_i(x_2, t)!$.

Proof: First, according to Lemma 3, passivity of $\bar{E}_i$ is a necessary condition for preserving decomposability. Now, given the decomposability of $A_S$ and the passivity of all failed events, the definition of passivity leads to $\|_{i=1}^n F(P_i(A_S)) = \|_{i=1}^n P_{\Sigma_i}(A_S) = \|_{i=1}^n P_{E_i \setminus \bar{E}_i}(A_S)$, which, based on Lemmas 1, 4 and 5, is bisimilar to $A_S$ if and only if EF1–EF4 hold true for the refined local event sets $\{\Sigma_1, \dots, \Sigma_n\}$. ■

Remark 4: EF1–EF4 are respectively the decomposability conditions DC1–DC4 after event failures, with respect to parallel composition and natural projections onto the refined local event sets $\Sigma_i = E_i \setminus \bar{E}_i$, $i \in \{1, \dots, n\}$, provided the passivity of $\bar{E}_i$, $i \in \{1, \dots, n\}$. Condition EF1 means that, after the failure of some passive events, for any decision on the selection between two transitions there should exist at least one agent capable of making the decision, or the decision should not matter (both permutations, in any order, are legal). EF2 says that, after the failure of some passive events, for any decision on the order of two successive events before any string, either there should exist at least one agent capable of making that decision, or the decision should not matter, i.e., any order is legal for the occurrence of that string. Condition EF3 means that, after the failure of some passive events, any interleaving of strings from the local task automata that have the same first appearing shared event should not allow a string that is not allowed in the original task automaton. In other words, EF3 ensures that, after the failure of some passive events, an illegal behavior (a string that does not appear in $A_S$) is not allowed by the team (does not appear in $\|_{i=1}^n F(P_i(A_S))$). The last condition, EF4, ensures the determinism of the bisimulation quotient of each local task automaton, in order to guarantee the symmetry of the simulation relations between $A_S$ and $\|_{i=1}^n F(P_i(A_S))$. By providing this symmetry property, EF4 guarantees that, after the failures, a legal behavior (a string in $A_S$) is not disabled by the team (it appears in $\|_{i=1}^n F(P_i(A_S))$).

The following examples illustrate these conditions.

Example 1: This example illustrates the notion of passivity and shows a decomposable automaton that stays decomposable when an event fails passively in one of the local agents and EF1–EF4 are satisfied. Consider the automaton $A_S$ [automaton figure omitted; transition labels $e_1$, $e_2$, $a$] with local event sets $E_1 = \{e_1, a\}$, $E_2 = \{e_2, a\}$, $E_3 = \{a\}$, and communication pattern $\{1, 2\} \subseteq snd_a(3)$ with no other communication links. This automaton is decomposable, as the parallel composition of $P_1(A_S)$ [figure omitted; labels $e_1$, $a$], $P_2(A_S)$ [figure omitted; labels $e_2$, $a$] and $P_3(A_S)$ [figure omitted; label $a$] is $\|_{i=1}^3 P_i(A_S)$ [figure omitted], which is bisimilar to $A_S$. Now, assume that $a$ fails in $E_1$. Then EF1–EF4 are satisfied (as $\delta(q_0, e_2 e_1 a)! \wedge \delta(q_0, e_2 a e_1)!$, and hence EF1 and EF2 hold true; after the failure, the interleavings on the shared event $a$ impose no illegal strings, and therefore EF3 is satisfied; and finally EF4 is fulfilled since $F(P_1(A_S))$ [figure omitted; label $e_1$], $F(P_2(A_S))$ [figure omitted; labels $e_2$, $a$] and $F(P_3(A_S))$ [figure omitted; label $a$] are all deterministic), and hence the parallel composition of $F(P_1(A_S))$ with $\Sigma_1 = \{e_1\}$, $F(P_2(A_S))$ with $\Sigma_2 = \{e_2, a\}$, and $F(P_3(A_S))$ with $\Sigma_3 = \{a\}$, is $\|_{i=1}^3 F(P_i(A_S))$ [figure omitted], which is bisimilar to $A_S$. However, if $a$ failed in $E_3$, then it would evolve in none of the local task automata and $\|_{i=1}^3 F(P_i(A_S)) \not\cong A_S$, since $E_3$ is a source for $a$. Similarly, failure of the private events $e_1$ and $e_2$ in $E_1$ and $E_2$, respectively, disables the global transitions on these events. As another example of a non-passive failure, consider the communication pattern $1 \in snd_a(3)$, $\{2, 3\} \subseteq snd_a(1)$, while $a$ fails in $E_1$. Then the parallel composition of $F(P_1(A_S))$ [figure omitted] with $\Sigma_1 = \{e_1, a\}$, $F(P_2(A_S))$ [figure omitted] with $\Sigma_2 = \{e_2\}$, and $F(P_3(A_S))$ [figure omitted] with $\Sigma_3 = \{a\}$ is [figure omitted; labels $e_1$, $e_2$], which is not bisimilar to $A_S$. The reason is that in this case, in contrast to the first case, $a$ was not excluded from $E_1$, while $a$ was stopped in $F(P_1(A_S))$. Due to the synchronization constraint in parallel composition, this disabled the global transitions on $a$.
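The operations that Example 1 walks through by hand (natural projection, the failure map $F$, parallel composition and the bisimilarity check) as an added, runnable example; this is not code from the paper or its authors. It uses a constructed three-agent task automaton with the same local event sets as Example 1 but its own transition structure (not the paper's figure), implements the natural projection as the quotient that merges states joined by non-$\Sigma_i$ transitions, models a passive failure as projection onto $E_i \setminus \bar{E}_i$, and models a non-passive failure by stopping the event's transitions while leaving the event in the local alphabet, so that synchronization blocks it. All function names are this example's own.

```python
# Added example (not from the paper): natural projection, parallel composition,
# bisimulation and the two kinds of event failure, on a constructed automaton.
from functools import reduce


class Aut:
    """Nondeterministic finite automaton; trans: (state, event) -> set of states."""

    def __init__(self, alphabet, init, trans):
        self.alphabet = frozenset(alphabet)
        self.init = init
        self.trans = {k: frozenset(v) for k, v in trans.items() if v}
        self.Q = {init} | {q for q, _ in self.trans} | {
            t for tg in self.trans.values() for t in tg}

    def succ(self, q, e):
        return self.trans.get((q, e), frozenset())


def project(A, sigma):
    """Natural projection P_sigma(A): states joined by non-sigma transitions are
    merged into one class (the paper's [x]_sigma, via union-find); sigma-labelled
    transitions are kept between the classes."""
    sigma = frozenset(sigma)
    parent = {q: q for q in A.Q}

    def find(q):
        while parent[q] != q:
            q = parent[q]
        return q

    for (q, e), targets in A.trans.items():
        if e not in sigma:
            for q2 in targets:
                parent[find(q2)] = find(q)
    trans = {}
    for (q, e), targets in A.trans.items():
        if e in sigma:
            trans.setdefault((find(q), e), set()).update(find(q2) for q2 in targets)
    return Aut(sigma, find(A.init), trans)


def compose(A, B):
    """Parallel composition A || B: shared events synchronise, private ones interleave."""
    alph = A.alphabet | B.alphabet
    init = (A.init, B.init)
    trans, seen, stack = {}, {init}, [init]
    while stack:
        qa, qb = stack.pop()
        for e in alph:
            sa = A.succ(qa, e) if e in A.alphabet else {qa}
            sb = B.succ(qb, e) if e in B.alphabet else {qb}
            targets = {(x, y) for x in sa for y in sb}  # empty set = blocked
            if targets:
                trans[((qa, qb), e)] = targets
                stack += [t for t in targets if t not in seen]
                seen |= targets
    return Aut(alph, init, trans)


def bisimilar(A, B):
    """Greatest bisimulation by refinement; True iff the initial states are related."""
    alph = A.alphabet | B.alphabet
    R = {(p, q) for p in A.Q for q in B.Q}

    def matches(p, q):
        return (all(any((p2, q2) in R for q2 in B.succ(q, e))
                    for e in alph for p2 in A.succ(p, e))
                and all(any((p2, q2) in R for p2 in A.succ(p, e))
                        for e in alph for q2 in B.succ(q, e)))

    while True:
        bad = {pq for pq in R if not matches(*pq)}
        if not bad:
            return (A.init, B.init) in R
        R -= bad


def team(A_S, local_sets):
    """||_i P_{Sigma_i}(A_S) for the given local event sets."""
    return reduce(compose, (project(A_S, s) for s in local_sets))


def stop_events(A_i, failed):
    """Non-passive failure: the event stays in the local alphabet but its
    transitions are removed, so synchronisation blocks it for the whole team."""
    return Aut(A_i.alphabet, A_i.init,
               {k: v for k, v in A_i.trans.items() if k[1] not in failed})


# Constructed task automaton (not the paper's figure) with language
# {e1 e2 a, e2 e1 a, e2 a e1} over E1 = {e1, a}, E2 = {e2, a}, E3 = {a}.
A_S = Aut({"e1", "e2", "a"}, 0, {
    (0, "e1"): {1}, (0, "e2"): {2}, (1, "e2"): {3}, (2, "e1"): {3},
    (3, "a"): {4}, (2, "a"): {5}, (5, "e1"): {6}})
E1, E2, E3 = {"e1", "a"}, {"e2", "a"}, {"a"}


def decomposable_before_failure():
    return bisimilar(A_S, team(A_S, [E1, E2, E3]))


def passive_failure_of_a_in_E1():
    # agent 1 only receives a (from agent 3), so a is excluded: Sigma_1 = E1 \ {a}
    return bisimilar(A_S, team(A_S, [E1 - {"a"}, E2, E3]))


def stopped_failure_of_a_in_E3():
    # agent 3 is the source of a: not passive, a stays in E3 with its
    # transitions stopped, and the team can no longer execute a at all
    F3 = stop_events(project(A_S, E3), {"a"})
    return bisimilar(A_S, compose(compose(project(A_S, E1), project(A_S, E2)), F3))
```

Running the three checks gives True, True, False: the constructed automaton is decomposable, stays decomposable after the passive failure (the projections become nondeterministic, but each is bisimilar to a deterministic automaton, so EF4 is not violated), and loses every $a$-transition globally when the source agent's $a$ is stopped, which is exactly the synchronization effect the example describes.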

Example 2: This example shows a decomposable automaton that no longer stays decomposable after a passive event failure, since EF1 is not satisfied, although the other three conditions, EF2, EF3 and EF4, are fulfilled. Consider the automaton $A_S$ [automaton figure omitted] with local event sets $E_1 = \{a\}$, $E_2 = \{b\}$ and $E_3 = \{a, b\}$, with $3 \in snd_a(1)$ and $3 \in snd_b(2)$, and no other sending and receiving links. This automaton is decomposable, as the parallel composition of $P_1(A_S)$ [figure omitted], $P_2(A_S)$ [figure omitted] and $P_3(A_S) = A_S$ bisimulates $A_S$. Now, suppose that $a$ fails in $E_3$. Then the parallel composition of $F(P_1(A_S))$ [figure omitted] with $\Sigma_1 = \{a\}$, $F(P_2(A_S))$ [figure omitted] with $\Sigma_2 = \{b\}$, and $F(P_3(A_S))$ [figure omitted] with $\Sigma_3 = \{b\}$ is $\|_{i=1}^3 F(P_i(A_S))$ [figure omitted], which is not bisimilar to $A_S$. The reason is the violation of EF1: after the failure of $a$ in $E_3$, neither does there exist an agent that knows both events $a$ and $b$ to decide on the selection between them, nor are both permutations legal in $A_S$. If $A_S$ were instead [automaton figure omitted; label $a$], then the failure of $a$ in $E_3$ would have no effect on the decomposability of $A_S$.

Example 3: This example shows a decomposable automaton that no longer stays decomposable after a passive failure, as EF2 is not satisfied, although the other three conditions, EF1, EF3 and EF4, are fulfilled. Consider the automaton $A_S$ [automaton figure omitted] with local event sets $E_1 = \{a\}$, $E_2 = \{b\}$ and $E_3 = \{a, b\}$, with $3 \in snd_a(1)$ and $3 \in snd_b(2)$ and no other sending and receiving links. This automaton is decomposable, as the parallel composition of $P_1(A_S)$ [figure omitted], $P_2(A_S)$ [figure omitted] and $P_3(A_S) = A_S$ bisimulates $A_S$. Now, suppose that $a$ fails in $E_3$. Then the parallel composition of $F(P_1(A_S))$ [figure omitted] with $\Sigma_1 = \{a\}$, $F(P_2(A_S))$ [figure omitted] with $\Sigma_2 = \{b\}$, and $F(P_3(A_S))$ [figure omitted] with $\Sigma_3 = \{b\}$ is $\|_{i=1}^3 F(P_i(A_S))$ [figure omitted; label $b$], which is not bisimilar to $A_S$. The reason is the violation of EF2: after the failure of $a$ in $E_3$, neither does there exist an agent that knows both events $a$ and $b$ to decide on their order, nor are both orders legal in $A_S$.
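The EF1 and EF2 checks that Examples 2 and 3 apply by hand, as an added example (not code from the paper or its authors): a brute-force checker for deterministic, acyclic task automata given the refined local event sets $\Sigma_i$. The three automata are constructed stand-ins for the shapes discussed in Examples 2 and 3 (a choice between $a$ and $b$, a diamond where both orders are legal, and a sequence where only $ab$ is legal), not the paper's figures; the function names and the bound on the length of the suffix $s$ in EF2 are this example's own assumptions.

```python
# Added example (not from the paper): checking EF1 and EF2 on small
# deterministic, acyclic task automata for given refined local event sets
# Sigma_i = E_i \ Ebar_i. Strings are tuples of event names.
from itertools import product


def run(delta, q, s):
    """delta(q, s): the state reached on the string s, or None when undefined."""
    for e in s:
        q = delta.get((q, e))
        if q is None:
            return None
    return q


def defined(delta, q, s):
    """The paper's 'delta(q, s)!' predicate."""
    return run(delta, q, s) is not None


def states(delta):
    return {q for q, _ in delta} | set(delta.values())


def one_agent_knows_both(sigmas, e1, e2):
    """[exists Sigma_i : {e1, e2} subset of Sigma_i]: some agent can decide alone."""
    return any({e1, e2} <= set(sig) for sig in sigmas)


def continuations(delta, q, bound):
    """All strings of length <= bound defined from q (exhaustive when acyclic)."""
    out, frontier = {()}, {()}
    for _ in range(bound):
        frontier = {s + (e,) for s in frontier
                    for (p, e) in delta if p == run(delta, q, s)}
        if not frontier:
            break
        out |= frontier
    return out


def ef1_violations(delta, alphabet, sigmas):
    """(q, e1, e2): both events enabled at q, no agent knows both, and the
    two orders e1e2 and e2e1 are not both legal."""
    out = []
    for q in sorted(states(delta)):
        for e1, e2 in product(sorted(alphabet), repeat=2):
            if e1 < e2 and defined(delta, q, (e1,)) and defined(delta, q, (e2,)):
                both = defined(delta, q, (e1, e2)) and defined(delta, q, (e2, e1))
                if not (one_agent_knows_both(sigmas, e1, e2) or both):
                    out.append((q, e1, e2))
    return out


def ef2_violations(delta, alphabet, sigmas):
    """(q, e1, e2, s): e1e2s or e2e1s is legal from q, no agent knows both
    events, yet the other order with the same suffix s is illegal."""
    out = []
    bound = len(states(delta))  # long enough for acyclic automata (assumption)
    for q in sorted(states(delta)):
        for e1, e2 in product(sorted(alphabet), repeat=2):
            if e1 >= e2 or one_agent_knows_both(sigmas, e1, e2):
                continue
            tails = set()
            for head in ((e1, e2), (e2, e1)):
                if defined(delta, q, head):
                    tails |= continuations(delta, run(delta, q, head), bound)
            for s in sorted(tails):
                if defined(delta, q, (e1, e2) + s) != defined(delta, q, (e2, e1) + s):
                    out.append((q, e1, e2, s))
    return out


# Constructed automata over E = {a, b}; delta maps (state, event) -> state.
CHOICE = {(0, "a"): 1, (0, "b"): 2}                             # a or b, never both
DIAMOND = {(0, "a"): 1, (0, "b"): 2, (1, "b"): 3, (2, "a"): 3}  # ab and ba
SEQUENCE = {(0, "a"): 1, (1, "b"): 2}                            # only ab
E = {"a", "b"}
BEFORE = [{"a"}, {"b"}, {"a", "b"}]  # E1, E2, E3: agent 3 knows both events
AFTER = [{"a"}, {"b"}, {"b"}]        # a fails passively in E3: Sigma_3 = {b}


def summary():
    """(#EF1 violations, #EF2 violations) per automaton, before and after."""
    cases = {"choice": CHOICE, "diamond": DIAMOND, "sequence": SEQUENCE}
    return {f"{name}/{tag}": (len(ef1_violations(d, E, sig)),
                              len(ef2_violations(d, E, sig)))
            for name, d in cases.items()
            for tag, sig in (("before", BEFORE), ("after", AFTER))}
```

Before the failure nothing is violated, because agent 3 knows both events. After $a$ leaves $\Sigma_3$ the choice automaton violates EF1 at its initial state (both events enabled, neither order legal), the sequence automaton violates EF2 with the empty suffix ($ab$ legal but $ba$ not), and the diamond satisfies both, matching the "decision should not matter" reading of Remark 4.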

Example 4: This example illustrates a decomposable automaton that satisfies EF1, EF2 and EF4, but does not remain decomposable after a passive event failure, due to the violation of EF3. Consider the automaton $A_S$ [automaton figure omitted; label $b$] with local event sets $E_1 = \{a, b, c\}$, $E_2 = \{b, c\}$ and $E_3 = \{a, b\}$, and communication pattern $1 \in snd_{\{b,c\}}(2)$, $1 \in snd_a(3)$, $3 \in snd_b(2)$, with no other communication links. $A_S$ is decomposable, as the parallel composition of $P_1(A_S) = A_S$, $P_2(A_S)$ [figure omitted] and $P_3(A_S)$ [figure omitted] is bisimilar to $A_S$. Now, assume that $b$ fails in $E_1$. Then the parallel composition of $F(P_1(A_S))$ [figure omitted] with $\Sigma_1 = \{a, c\}$, $F(P_2(A_S))$ [figure omitted] with $\Sigma_2 = \{b, c\}$ and $F(P_3(A_S))$ [figure omitted] with $\Sigma_3 = \{a, b\}$ is $\|_{i=1}^3 F(P_i(A_S))$ [figure omitted; labels $a$, $b$, $c$], which is no longer bisimilar to $A_S$ due to the violation of EF3, as it contains the strings $acb$ and $bc$ that do not appear in $A_S$.

Example 5: This example shows a decomposable automaton that does not remain decomposable under a passive event failure when it does not satisfy EF4, although it fulfils EF1, EF2 and EF3. Consider the automaton $A_S$ [automaton figure omitted] with local event sets $E_1 = \{a, b, c\}$, $E_2 = \{a, b\}$ and $E_3 = \{b, c\}$, with communication structure $1 \in snd_{\{a,b\}}(2)$, $1 \in snd_c(3)$, $3 \in snd_b(2)$, and no other communication links. This automaton is decomposable, as the parallel composition of $P_1(A_S) = A_S$, $P_2(A_S)$ [figure omitted] and $P_3(A_S)$ [figure omitted] is bisimilar to $A_S$. Now, assume that $b$ fails in $E_1$; then the parallel composition of $F(P_1(A_S))$ [figure omitted] with $\Sigma_1 = \{a, c\}$, $F(P_2(A_S))$ [figure omitted] with $\Sigma_2 = \{a, b\}$ and $F(P_3(A_S))$ [figure omitted] with $\Sigma_3 = \{b, c\}$ is $\|_{i=1}^3 F(P_i(A_S))$ [figure omitted], which is no longer bisimilar to $A_S$ due to the violation of EF4, as there does not exist a deterministic automaton $P_1'(A_S)$ such that $P_1'(A_S) \cong F(P_1(A_S))$.

V. Cooperative tasking under event failure

So far, we have presented the necessary and sufficient conditions for a decomposable task automaton to remain decomposable in spite of passive failures. Now, assume that the global task automaton is decomposable and local controllers have been designed in such a way that the local specifications are satisfied, and hence, due to Lemma 2, the global specification is satisfied by the team. Furthermore, assume that event failures occur on some shared events, but due to the passivity of the failed events and EF1–EF4, the global task automaton remains decomposable. Then the next question is Problem 2: whether the team is still able to achieve the global specification. The following result answers this question.

Theorem 2: Consider a concurrent plant $A_P := \|_{i=1}^n A_{P_i}$ and a deterministic task automaton $A_S = (Q, q_0, E = \bigcup_{i=1}^n E_i, \delta)$ as the global specification. Assume that $A_S$ is decomposable, i.e., $A_S \cong \|_{i=1}^n P_i(A_S)$, and suppose that local controller automata $A_{C_i}$, $i = 1, \dots, n$, have been designed such that each local closed-loop system satisfies its corresponding local task, i.e., $A_{C_i} \| A_{P_i} \cong P_i(A_S)$, $i = 1, \dots, n$. Assume furthermore that $\bar{E}_i = \{a_{i,r}\}$, $r \in \{1, \dots, n_i\}$, fail in $E_i$, $\bar{E}_i$ are passive for $i \in \{1, \dots, n\}$, and $A_S$ satisfies EF1–EF4. Then the team can still achieve its global specification, i.e., $\|_{i=1}^n F(A_{P_i} \| A_{C_i}) \cong A_S$.

i=l 

Proof: Firstly, decomposability of $A_S$ and $A_{C_i} \| A_{P_i} \cong P_i(A_S)$, $i = 1, \dots, n$, due to Lemma 2, imply that $\|_{i=1}^n (A_{P_i} \| A_{C_i}) \cong A_S$, i.e., the global specification is satisfied by the team. Moreover, the global specification remains satisfied in spite of event failures if $\bar{E}_i$ are passive for $i \in \{1, \dots, n\}$ and $A_S$ satisfies EF1–EF4, since $\|_{i=1}^n F(A_{P_i} \| A_{C_i}) \cong \|_{i=1}^n P_{E_i \setminus \bar{E}_i}(A_{P_i} \| A_{C_i}) \cong \|_{i=1}^n P_{E_i \setminus \bar{E}_i}(P_i(A_S)) = \|_{i=1}^n F(P_i(A_S)) \cong \|_{i=1}^n P_i(A_S) \cong A_S$. In this expression, the first and the third bisimilarities come from the passivity of $\bar{E}_i$, $i \in \{1, \dots, n\}$; the second bisimilarity follows from $A_{C_i} \| A_{P_i} \cong P_i(A_S)$, $i = 1, \dots, n$, the definition of natural projection and the fact $(A_1 \cong A_2) \wedge (A_3 \cong A_4) \Rightarrow (A_1 \| A_3 \cong A_2 \| A_4)$ (Lemma 6 in [?]); the fourth equivalence is implied by the passivity of $\bar{E}_i$, $i = 1, \dots, n$, and EF1–EF4; and finally the last bisimilarity is due to the decomposability assumption on $A_S$. ■

Remark 5: The significance of Theorem 2 is that, under the passivity condition and EF1–EF4, although the local task automata may change after the failure (i.e., $F(P_i(A_S)) \not\cong P_i(A_S)$), the team of agents can still satisfy the global specification, as $\|_{i=1}^n F(A_{P_i} \| A_{C_i}) \cong \|_{i=1}^n F(P_i(A_S)) \cong \|_{i=1}^n P_i(A_S) \cong A_S$.

Example 6: This example illustrates a specification for a team of three agents that is globally satisfied and remains satisfied in spite of passive event failures, provided EF1–EF4 hold. Consider a concurrent plant $A_P := \|_{i=1}^3 A_{P_i}$ with local plants $A_{P_1}$ [plant figure omitted; labels $a$, $e_1$] with $E_1 = \{a, e_1\}$, $A_{P_2}$ [plant figure omitted; labels $a$, $b$, $e_2$] with $E_2 = \{a, b, e_2\}$, and $A_{P_3}$ [plant figure omitted; labels $b$, $e_3$] with $E_3 = \{b, e_3\}$, having communication pattern $1 \in snd_a(2)$, $3 \in snd_b(2)$, and no more communication links. Assume that the global specification $A_S$ [specification figure omitted; labels $a$, $b$, $e_1$, $e_2$, $e_3$] is given; it is decomposable, since the parallel composition of $P_1(A_S)$ [figure omitted], $P_2(A_S)$ [figure omitted] and $P_3(A_S)$ [figure omitted] is bisimilar to $A_S$. Now, taking the local controllers as $A_{C_i} := P_i(A_S)$, $i = 1, 2, 3$, results in $A_{P_i} \| A_{C_i} \cong P_i(A_S)$, $i = 1, 2, 3$, and $\|_{i=1}^3 (A_{P_i} \| A_{C_i})$ [figure omitted], which is bisimilar to $A_S$, i.e., the global specification is satisfied by designing local controllers $A_{C_i}$ that satisfy the local specifications $P_i(A_S)$.

Now, suppose that $a$ fails in $E_1$. Since $a$ is passive in $E_1$ and $A_S$ satisfies EF1–EF4 (since $\delta(q_0, e_1 a e_2 b e_3)! \wedge \delta(q_0, a e_1 e_2 b e_3)!$ in $A_S$, and hence EF1 and EF2 are satisfied; $\Sigma_1 = \{e_1\}$, $\Sigma_2 = \{a, b, e_2\}$, $\Sigma_3 = \{b, e_3\}$ with the only shared event $b \in \Sigma_2 \cap \Sigma_3$, and the corresponding interleaving between $F(P_2(A_S)) = P_2(A_S)$ and $F(P_3(A_S)) = P_3(A_S)$ is $a e_2 b e_3$, which appears in $A_S$ with all permutations with $e_1$ from $F(P_1(A_S))$, and hence EF3 is satisfied; and finally EF4 is fulfilled since $F(P_1(A_S))$, $F(P_2(A_S))$ and $F(P_3(A_S))$ are respectively bisimilar to automata [figures omitted; labels $e_1$; $a$, $e_2$, $b$; $b$, $e_3$] that are all deterministic). Therefore, according to Theorem 1, $\|_{i=1}^3 F(P_i(A_S)) \cong A_S$.

Moreover, since the failed event $a$ is passive in $E_1$ and $A_S$ satisfies EF1–EF4, by Theorem 2 the global specification remains satisfied after the failure, as $\|_{i=1}^3 F(A_{P_i} \| A_{C_i}) \cong \|_{i=1}^3 F(P_i(A_S))$ [figure omitted], which is bisimilar to $A_S$.

VI. Special case: more insight into the 2-agent case

This part provides a closer look at the two-agent case and illustrates the notion of global decision making after the event failures.

First, the following lemma presents some properties of a 2-agent system that experiences passive failures. The properties will then be used to provide deeper insight into the global decision making of the team on successive and adjacent transitions, in spite of passive failures.

Lemma 6: Consider a deterministic task automaton $A_S = (Q, q_0, E = E_1 \cup E_2, \delta)$ and assume that $A_S$ is decomposable with respect to parallel composition and natural projections $P_i$, $i = 1, 2$, and furthermore assume that $\bar{E}_i = \{a_{i,r}\}$, $r \in \{1, \dots, n_i\}$, fail in $E_i$, $i \in \{1, 2\}$. If $\bar{E}_i$, $i \in \{1, 2\}$, are passive, then $\forall i \in \{1, 2\}$:

1) $\bar{E}_1 \cap \bar{E}_2 = \emptyset$;

2) $\bar{E}_1, \bar{E}_2 \subseteq E_1 \cap E_2$;

3) $\Sigma_1 \setminus \Sigma_2 = (E_1 \setminus E_2) \cup \bar{E}_2$ and $\Sigma_2 \setminus \Sigma_1 = (E_2 \setminus E_1) \cup \bar{E}_1$.
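An exhaustive check of the three items of Lemma 6 over every two-agent configuration on a four-event universe, as an added example (not code from the paper or its authors). Its passivity model is an assumption taken from the two-agent reading used in the proof of Lemma 6: a failed event of agent $i$ must be a shared event emitted by the other agent ($snd_e(i) = \emptyset$, $rcv_e(i) \neq \emptyset$). It also verifies the four-space decomposition of $(\Sigma_1 \setminus \Sigma_2) \times (\Sigma_2 \setminus \Sigma_1)$ that Remark 6 and Figure 1 build on, with pairs treated as unordered since the conditions involved are symmetric in $e_1, e_2$; the function names are this example's own.

```python
# Added example (not from the paper): brute-force verification of Lemma 6
# (two-agent case) and of the Fig. 1 partition of (S1\S2) x (S2\S1).
from itertools import combinations, product


def subsets(s):
    s = sorted(s)
    for k in range(len(s) + 1):
        for c in combinations(s, k):
            yield frozenset(c)


def passive_configs(universe):
    """Yield (E1, E2, Ebar1, Ebar2) with E = E1 u E2 and only passive failures:
    agent i may lose a shared event only if the other agent is its source
    (snd_e(i) empty, rcv_e(i) non-empty); this passivity model is an assumption."""
    universe = frozenset(universe)
    for E1 in subsets(universe):
        for E2 in subsets(universe):
            if E1 | E2 != universe:
                continue
            shared = sorted(E1 & E2)
            for sources in product((1, 2), repeat=len(shared)):
                src = dict(zip(shared, sources))  # which agent emits each shared event
                can_fail_1 = {e for e in shared if src[e] == 2}  # agent 1 only receives e
                can_fail_2 = {e for e in shared if src[e] == 1}
                for Ebar1 in subsets(can_fail_1):
                    for Ebar2 in subsets(can_fail_2):
                        yield E1, E2, Ebar1, Ebar2


def lemma6_holds(E1, E2, Ebar1, Ebar2):
    """Items 1-3 of Lemma 6 plus the Fig. 1 partition, pairs taken unordered."""
    S1, S2 = E1 - Ebar1, E2 - Ebar2  # refined local event sets Sigma_1, Sigma_2
    item1 = not (Ebar1 & Ebar2)
    item2 = Ebar1 <= E1 & E2 and Ebar2 <= E1 & E2
    item3 = (S1 - S2 == (E1 - E2) | Ebar2) and (S2 - S1 == (E2 - E1) | Ebar1)

    def pairs(X, Y):
        return {frozenset((x, y)) for x in X for y in Y}

    four_spaces = (pairs(E1 - E2, E2 - E1) | pairs(E1 - E2, Ebar1)
                   | pairs(Ebar2, E2 - E1) | pairs(Ebar1, Ebar2))
    fig1 = pairs(S1 - S2, S2 - S1) == four_spaces
    # after the failure no single agent sees both events of any such pair
    nobody_decides = all(not (p <= S1 or p <= S2) for p in four_spaces)
    return item1 and item2 and item3 and fig1 and nobody_decides


def check_all(universe=("a", "b", "c", "d")):
    """Number of configurations examined and whether Lemma 6 held in all of them."""
    configs = list(passive_configs(universe))
    return len(configs), all(lemma6_holds(*c) for c in configs)
```

The `nobody_decides` check is the point of Remark 6 in executable form: for every pair in the four spaces, neither refined local event set contains both events, so after the failure no agent can decide the switch or order between them, which is why EF1 and EF2 require such decisions not to matter. Feeding a non-passive configuration to `lemma6_holds` (for instance the same shared event failing in both agents) makes item 1 fail.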

Now, the following lemma represents the conditions for maintaining the capability of a team of two cooperative agents for global decision making on the orders and selections of transitions in the global task automaton, after passive event failures.

Lemma 7: Consider a deterministic task automaton $A_S = (Q, q_0, E = E_1 \cup E_2, \delta)$. Assume that $A_S$ is decomposable, i.e., $A_S \cong P_1(A_S) \| P_2(A_S)$, and furthermore assume that $\bar{E}_i = \{a_{i,r}\}$, $r \in \{1, \dots, n_i\}$, fail in $E_i$, and $\bar{E}_i$ are passive for $i \in \{1, 2\}$. Then the following two expressions are equivalent:

• (EF1 and EF2): $\forall (e_1, e_2) \in \big((E_1 \setminus E_2) \times \bar{E}_1\big) \cup \big((E_2 \setminus E_1) \times \bar{E}_2\big) \cup \big(\bar{E}_1 \times \bar{E}_2\big)$, $q \in Q$, $s \in E^*$:

$[\delta(q, e_1)! \wedge \delta(q, e_2)!] \Rightarrow [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$ (1)

$\delta(q, e_1 e_2 s)! \Leftrightarrow \delta(q, e_2 e_1 s)!$ (2)

• (DC1$_\Sigma$ and DC2$_\Sigma$): $\forall e_1 \in \Sigma_1 \setminus \Sigma_2$, $e_2 \in \Sigma_2 \setminus \Sigma_1$, $q \in Q$, $s \in E^*$:

$[\delta(q, e_1)! \wedge \delta(q, e_2)!] \Rightarrow [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$;

$\delta(q, e_1 e_2 s)! \Leftrightarrow \delta(q, e_2 e_1 s)!$.

Proof: See the proof in the Appendix. ■

Remark 6: EF1 and EF2 represent the decomposability conditions DC1 and DC2 after failure, i.e., for the refined local event sets $\Sigma_1$ and $\Sigma_2$. They say that, after the failure, for any decision on the switch or the order between two events that cannot be accomplished by at least one of the agents (neither $\{e_1, e_2\} \subseteq \Sigma_1$ nor $\{e_1, e_2\} \subseteq \Sigma_2$), the decision should not matter (both orders should be legal). This gives good insight into the validity of DC1 and DC2 after the failure of passive events, as illustrated in Figure 1 based on the properties in Lemma 6.

From Lemma 6, $(\Sigma_1 \setminus \Sigma_2) \times (\Sigma_2 \setminus \Sigma_1)$ is the union of four spaces: $(E_1 \setminus E_2) \times (E_2 \setminus E_1)$; $(E_1 \setminus E_2) \times \bar{E}_1$; $\bar{E}_2 \times (E_2 \setminus E_1)$; and $\bar{E}_1 \times \bar{E}_2$ (see Figure 1(a)–(d)). Note that, due to Lemma 6, $\bar{E}_1 \cap \bar{E}_2 = \emptyset$.

Now, according to Lemma 8 in the Appendix, for any pair of events from $(E_1 \setminus E_2) \times (E_2 \setminus E_1)$ (shown in Figure 1(a)), (1) and (2) are true as $A_S$ is decomposable before the failure. Moreover, (1) and (2) are also true for the pairs of events from the other three spaces of $(\Sigma_1 \setminus \Sigma_2) \times (\Sigma_2 \setminus \Sigma_1)$, due to EF1 and EF2, as illustrated as follows.

• Figure 1(b) shows $(E_1 \setminus E_2) \times \bar{E}_1$: any pair of events from this space is contained in $E_1$ before the failure, but is contained in neither $\Sigma_1$ nor $\Sigma_2$ after the failure;

• Figure 1(c) depicts $\bar{E}_2 \times (E_2 \setminus E_1)$: any pair of events from this space is contained in $E_2$ before the failure, but belongs to neither $\Sigma_1$ nor $\Sigma_2$ after the failure;

• Figure 1(d) illustrates $\bar{E}_1 \times \bar{E}_2$: any pair of events from this space is contained in both $E_1$ and $E_2$ before the failure, but in neither of them after the failure.

Therefore, since after the failure, for any pair of events from these three spaces, no agent can be responsible for the decision on the switch/order between them (no local event set contains both events), such decisions should not matter, as stated in EF1 and EF2.

Fig. 1. Illustration of $(\Sigma_1 \setminus \Sigma_2) \times (\Sigma_2 \setminus \Sigma_1) = [(E_1 \setminus E_2) \times (E_2 \setminus E_1)] \cup [(E_1 \setminus E_2) \times \bar{E}_1] \cup [\bar{E}_2 \times (E_2 \setminus E_1)] \cup [\bar{E}_1 \times \bar{E}_2]$; (a): $(E_1 \setminus E_2) \times (E_2 \setminus E_1)$; (b): $(E_1 \setminus E_2) \times \bar{E}_1$; (c): $\bar{E}_2 \times (E_2 \setminus E_1)$, and (d): $\bar{E}_1 \times \bar{E}_2$.

Another implication of this result is that when the system is comprised of only two agents and one of those agents fails while all of its events are passive, then the task automaton remains decomposable, as stated in the following corollary.

Corollary 1: Consider a deterministic task automaton $A_S = (Q, q_0, E = E_1 \cup E_2, \delta)$. Assume that $A_S$ is decomposable, i.e., $A_S \cong P_1(A_S) \| P_2(A_S)$. Assume furthermore that $E_1$ entirely fails, i.e., $\bar{E}_1 = E_1$. Then $A_S \cong \|_{i=1}^2 F(P_i(A_S))$ if and only if $\bar{E}_1$ is passive.

Proof: Sufficiency: Since $\bar{E}_1 = E_1$, from the definition of passivity, Lemma 6 and $E = E_1 \cup E_2$, it follows that $E_1 \subseteq E_2 = E$ and $E_1 \setminus E_2 = \bar{E}_2 = \emptyset$, and hence EF1 and EF2 hold true due to Lemma 7. Moreover, since $\Sigma_1 = E_1 \setminus \bar{E}_1 = \emptyset$, then $\Sigma_1 \setminus \Sigma_2 = \Sigma_1 = \emptyset$, which makes EF3 always true. Finally, by Lemma 1, $F(P_1(A_S))$ with $\Sigma_1 = \emptyset$ merges into its initial state with no nondeterminism, and $F(P_2(A_S))$ with $\Sigma_2 = E$ is bisimilar to $A_S$, which is deterministic; therefore EF4 is satisfied as well. This implies that when $\bar{E}_1 = E_1$, the passivity of $\bar{E}_1$ leads to $A_S \cong F(P_1(A_S)) \| F(P_2(A_S))$.

Necessity: The necessity is proven by contradiction. Suppose that $\bar{E}_1 = E_1$ and $A_S \cong F(P_1(A_S)) \| F(P_2(A_S))$, but $\exists e \in \bar{E}_1$ such that $e$ is not passive in $E_1$. Then, from Lemma 3, it follows that transitions on $e$ cannot evolve in $F(P_1(A_S)) \| F(P_2(A_S))$, due to the synchronization constraint in parallel composition, and hence $A_S \not\cong F(P_1(A_S)) \| F(P_2(A_S))$, which is a contradiction. ■



VII. Conclusions

This paper proposed a formal method to investigate whether a decentralized bisimilarity control design remains valid under the failure of some events in multi-agent systems. This work is a continuation of [1], [2], in which necessary and sufficient conditions were given for task automaton decomposition and the satisfaction of the global specification was guaranteed upon the satisfaction of local specifications. This work then defines a new notion of passivity under which it is possible to transform the decentralized cooperative control problem under event failures into the standard decomposability problem in [1], [2], and identifies necessary and sufficient conditions that still guarantee that the supervised concurrent plant satisfies the global specification, in spite of event failures. The passivity of the failed events turns out to be a necessary condition for the task automaton to remain decomposable, and it is found to reflect the failure of redundant communication links. It is then proven that a decomposable task automaton remains decomposable and satisfied after some passive failures if and only if, after the failures, the team of agents maintains the capability of collective decision making on the orders and selections of transitions and preserves the collective perception of the task, such that the parallel composition of local task automata neither allows an illegal behavior (a string that is not in the global task automaton) nor disallows a legal behavior (a string from the global task automaton).

This result is of practical importance as it provides a sense of fault tolerance to the task decomposition and top-down cooperative control of multi-agent systems under event failures.

VIII. APPENDIX

A. Examples for Remark 1

Example 7: The following example shows an automaton that does not simulate its natural projections, yet is decomposable. Consider an automaton $A_S$ [automaton figure omitted] with the event set $E = E_1 \cup E_2$ and local event sets $E_1 = \{a, b, e_1\}$, $E_2 = \{a, b, e_2, e_4\}$. In this example, $A_S$ is decomposable, since it bisimulates the parallel composition of $P_1(A_S)$ [figure omitted] and $P_2(A_S)$ [figure omitted; label $a$], although $P_1(A_S) \not\prec A_S$ (since the string $b$ appears in $P_1(A_S)$ but not in $A_S$) and $P_2(A_S) \not\prec A_S$ (since the string $ab$ appears in $P_2(A_S)$ but not in $A_S$).

As mentioned in Remark 1, another emergent property is that the natural projection of local task automata may lead to nondeterminism of $P_i(A_S)$, leading to nondeterminism of $\|_{i=1}^n P_i(A_S)$. The decomposability of $A_S$ again concerns the bisimilarity of $A_S$ and $\|_{i=1}^n P_i(A_S)$, which may hold even if some $P_i(A_S)$ are nondeterministic, as elaborated in the following example.

Example 8: Consider the automaton $A_S$ [automaton figure omitted] with $E = E_1 \cup E_2$, $E_1 = \{a, e_1\}$, $E_2 = \{a, e_2\}$. $A_S$ is decomposable, as the parallel composition of $P_1(A_S)$ [figure omitted] and $P_2(A_S)$ [figure omitted; label $e_2$] is bisimilar to $A_S$. Here, $P_2(A_S)$ is not deterministic, but it bisimulates the deterministic automaton $P_2(A_S)'$ [figure omitted].

Therefore, a deterministic task automaton $A_S$ may have nondeterministic natural projections, and consequently its $\|_{i=1}^n P_i(A_S)$ may become nondeterministic. As a result, determinism of $A_S$ does not reduce its decomposability in the sense of bisimulation to its decomposability in the sense of language equivalence (synthesis modulo language equivalence [9]), due to the possibility of nondeterminism of $\|_{i=1}^n P_i(A_S)$, as further illustrated in the following example.

Example 9: Consider the task automaton $A_S$ [automaton figure omitted; label $e_1$] with $E_1 = \{a, b, e_1\}$, $E_2 = \{a, b\}$, leading to $P_1(A_S)$ [figure omitted], $P_2(A_S)$ [figure omitted], and $P_1(A_S) \| P_2(A_S)$ [figure omitted], which is not bisimilar to $A_S$. In this example $A_S$ is deterministic and $L(\|_{i=1}^n P_i(A_S)) = L(A_S)$; however, $\|_{i=1}^n P_i(A_S) \not\cong A_S$. This example also shows that determinism of $A_S$ does not reduce its decomposability in the sense of bisimulation to the separability of its language ([10]), as $\|_{i=1}^n P_i(A_S) \not\cong A_S$, although $A_S$ is deterministic and its language is separable ($L(A_S) = |_{i=1}^n L(P_i(A_S))$).

Therefore, in general, for a deterministic task automaton, $\|_{i=1}^n P_i(A_S) \cong A_S$ is not reduced to $L(A_S) = |_{i=1}^n L(P_i(A_S))$. But, under the determinism of the bisimulation quotient of all local task automata (DC4), bisimulation-based decomposability is reduced to language-based decomposability, and the top-down design based on bisimulation is reduced to language-based top-down design, such that the entire closed-loop system (the parallel composition of the local closed-loop systems) bisimulates (or, equivalently, is language equivalent to) the global task automaton. In the case of DC4, the other three conditions (DC1–DC3) can be used to characterize language separability.

B. Proof for Lemma 3

Firstly, in order to allow the global transitions, the failed event $a$ in $E_i$ has to be received from other agents, not from its own sensor and actuator readings; otherwise, no local transitions on $a$ evolve in either $F(A_i)$ or $\|_{i=1}^n F(A_i)$ (since the other agents receive $a$ from $A_i$). Therefore, the failed events necessarily have to be shared events ($loc(a) > 1$), and after the failure of $a$ in $A_i$, $a$ is excluded from $E_i$, i.e., $\Sigma_i = E_i \setminus a$, as $a$ is no longer received by $A_i$ from the other agents. Moreover, due to Definition 1, the exclusion of $a$ from $E_i$ allows global transitions on $a$ with no synchronization restriction from $F(A_i)$. Finally, the transitions on the failed event $a$ have to be replaced with $\varepsilon$-moves, in order to allow transitions after $a$ in $A_i$, i.e., $\forall x_1, x_2 \in Q_i$, $\delta_i(x_1, a) = x_2$, then $\delta_i'([x_1]_{\Sigma_i}, a) = [x_2]_{\Sigma_i}$, $[x_1]_{\Sigma_i} = [x_2]_{\Sigma_i}$, and $F(A_i) = P_{E_i \setminus a}(A_i)$ (otherwise a transition $\delta_i'(\delta_i'(x, a), e)$ would be disabled due to the stopping of the execution of $\delta_i'(x, a)$). It should be noted that, if there are no transitions after $\delta_i(x, a)$ (i.e., $\forall e \in E_i$: $\neg\delta_i(\delta_i(x, a), e)!$), then stopping $\delta_i(x, a)$ is identical to replacing this transition with an $\varepsilon$-move. These collectively mean that preserving the global transitions in $\|_{i=1}^n F(A_i)$ requires the local failures to be passive.

C. Proof for Lemma 4

Passivity of all $\bar{E}_i$, $i \in \{1, \dots, n\}$, due to the definition of passivity, leads to $\Sigma_i = E_i \setminus \bar{E}_i \subseteq E_i$, and hence the expression $[\exists E_i \in \{E_1, \dots, E_n\}, \{e_1, e_2\} \subseteq E_i]$ in the antecedent of DC1 and DC2 becomes $[\exists \Sigma_i \in \{\Sigma_1, \dots, \Sigma_n\}, \{e_1, e_2\} \subseteq \Sigma_i]$, replacing $E_i$ with $\Sigma_i = E_i \setminus \bar{E}_i$.

D. Proof for Lemma 5

Any nondeterminism in $F(P_i(A_S))$ appears either due to nondeterminism from $P_i(A_S)$ or as newly formed nondeterminism because of the replacement of passive events by $\varepsilon$.

In the first case, from the decomposability of $A_S$, DC4 says that for any $x, x_1, x_2 \in Q_i$, $e \in E_i \setminus \bar{E}_i$, $t \in E^*$, $x_1 \neq x_2$, $\delta_i(x, e) = x_1$, $\delta_i(x, e) = x_2$: $\delta_i(x_1, t)! \Leftrightarrow \delta_i(x_2, t)!$, i.e., $\delta_i'([x]_{\Sigma_i}, e) = [x_1]_{\Sigma_i}$, $\delta_i'([x]_{\Sigma_i}, e) = [x_2]_{\Sigma_i}$: $\delta_i'([x_1]_{\Sigma_i}, p_{\Sigma_i}(t))! \Leftrightarrow \delta_i'([x_2]_{\Sigma_i}, p_{\Sigma_i}(t))!$, which is DC4 for $F(P_i(A_S))$ with the refined local event set $\Sigma_i$.

For the second case, any newly appeared nondeterminism is induced by transitions from the original local task automata, in the following form: $\exists i \in \{1, \dots, n\}$, $x, x_1, x_2 \in Q_i$, $t_1 \in \bar{E}_i^*$, $e \in \Sigma_i$, $t \in E^*$, $x_1 \neq x_2$, $\delta_i(x, t_1 e) = x_1$, $\delta_i(x, e) = x_2$; then $[x]_{\Sigma_i} = [\delta_i'([x]_{\Sigma_i}, t_1)]_{\Sigma_i}$, and hence EF4 becomes $\delta_i'([x]_{\Sigma_i}, e) = [x_1]_{\Sigma_i}$, $\delta_i'([x]_{\Sigma_i}, e) = [x_2]_{\Sigma_i}$: $\delta_i'([x_1]_{\Sigma_i}, p_{\Sigma_i}(t))! \Leftrightarrow \delta_i'([x_2]_{\Sigma_i}, p_{\Sigma_i}(t))!$, which is again equivalent to DC4 for $F(P_i(A_S))$.

E. Proof for Lemma 6

The first item is proven based on the fact that if $\exists e \in \bar{E}_1 \cap \bar{E}_2$, then $snd_e(1) = \emptyset \wedge snd_e(2) = \emptyset$, which is impossible due to Remark 2, which requires $snd_e(i) = \emptyset \wedge rcv_e(i) \neq \emptyset$ for an event $e$ to be passive in $E_i \in \{E_1, E_2\}$ in the two-agent case.

The second item comes from the passivity of $\bar{E}_1$ and $\bar{E}_2$, which implies that $\forall e \in \bar{E}_i$, $i = 1, 2$, $snd_e(i) = \emptyset \wedge rcv_e(i) \neq \emptyset$, and hence $loc(e) > 1$, which means $e \in E_j$, $j \in \{1, 2\} \setminus \{i\}$, i.e., $e \in E_1 \cap E_2$.

For the last item, from the second item and $\bar{E}_1 \cap \bar{E}_2 = \emptyset$ we respectively have $\bar{E}_1, \bar{E}_2 \subseteq E_1 \cap E_2$ and $\bar{E}_1 \subseteq \bar{E}_2'$, $\bar{E}_2 \subseteq \bar{E}_1'$ (in this proof, the prime operation stands for the set complement, where $E_1 \cup E_2$ is considered as the universal set). Consequently, $\Sigma_1 \setminus \Sigma_2 = (E_1 \setminus \bar{E}_1) \setminus (E_2 \setminus \bar{E}_2) = (E_1 \cap \bar{E}_1') \cap (E_2 \cap \bar{E}_2')' = (E_1 \cap \bar{E}_1') \cap (E_2' \cup \bar{E}_2) = [(E_1 \cap \bar{E}_1') \cap E_2'] \cup [(E_1 \cap \bar{E}_1') \cap \bar{E}_2] = [E_1 \cap (\bar{E}_1 \cup E_2)'] \cup [(E_1 \cap \bar{E}_2) \cap \bar{E}_1'] = (E_1 \cap E_2') \cup (\bar{E}_2 \cap \bar{E}_1') = (E_1 \setminus E_2) \cup \bar{E}_2$. Similarly, $\Sigma_2 \setminus \Sigma_1 = (E_2 \setminus E_1) \cup \bar{E}_1$.

F. Proof for Lemma 7

To prove this lemma, firstly the decomposability result for two agents is recalled as

Lemma 8: (Theorem 1 in [1]) A deterministic automaton $A_S = (Q, q_0, E = E_1 \cup E_2, \delta)$ is decomposable with respect to parallel composition and natural projections $P_i$, $i = 1, 2$, such that $A_S \cong P_1(A_S) \| P_2(A_S)$, if and only if it satisfies the following decomposability conditions:

$\forall e_1 \in E_1 \setminus E_2$, $e_2 \in E_2 \setminus E_1$, $q \in Q$, $s \in E^*$,

• DC1: $[\delta(q, e_1)! \wedge \delta(q, e_2)!] \Rightarrow [\delta(q, e_1 e_2)! \wedge \delta(q, e_2 e_1)!]$;

• DC2: $\delta(q, e_1 e_2 s)! \Leftrightarrow \delta(q, e_2 e_1 s)!$;

• DC3: $\forall s, s' \in E^*$ sharing the same first appearing common event $a \in E_1 \cap E_2$, $s \neq s'$, $q \in Q$: $\delta(q, s)! \wedge \delta(q, s')! \Rightarrow \delta(q, p_1(s) | p_2(s'))! \wedge \delta(q, p_1(s') | p_2(s))!$, and

• DC4: $\forall i \in \{1, 2\}$, $x, x_1, x_2 \in Q_i$, $x_1 \neq x_2$, $e \in E_i$, $t \in E^*$, $\delta_i(x, e) = x_1$, $\delta_i(x, e) = x_2$: $\delta_i(x_1, t)! \Leftrightarrow \delta_i(x_2, t)!$.

Now, in order to prove the equivalence of the two cases in Lemma 7, one needs to prove that the set $\{\bar{E}_1 \times (E_1 \setminus E_2),\ \bar{E}_2 \times (E_2 \setminus E_1),\ \bar{E}_1 \times \bar{E}_2\}$ in EF1 and EF2 is equal to the set $(\Sigma_1 \setminus \Sigma_2) \times (\Sigma_2 \setminus \Sigma_1)$ in DC1$_\Sigma$ and DC2$_\Sigma$ (the decomposability conditions DC1 and DC2 with respect to $\Sigma_1$ and $\Sigma_2$).

From Lemma 6, $e_1 \in \Sigma_1 \setminus \Sigma_2$, $e_2 \in \Sigma_2 \setminus \Sigma_1$ is equivalent to $e_1 \in (E_1 \setminus E_2) \cup \bar{E}_2$, $e_2 \in (E_2 \setminus E_1) \cup \bar{E}_1$, which means that $e_1 \in E_1 \setminus E_2 \vee e_1 \in \bar{E}_2$ and $e_2 \in E_2 \setminus E_1 \vee e_2 \in \bar{E}_1$, leading to four possible cases: $(e_1 \in E_1 \setminus E_2 \wedge e_2 \in E_2 \setminus E_1)$, $(e_1 \in E_1 \setminus E_2 \wedge e_2 \in \bar{E}_1)$, $(e_1 \in \bar{E}_2 \wedge e_2 \in E_2 \setminus E_1)$ or $(e_1 \in \bar{E}_2 \wedge e_2 \in \bar{E}_1)$.

Now, Lemma 7 is proven as follows. For the first case, since the decomposability of $A_S$ implies DC1 and DC2, then $\forall e_1 \in E_1 \setminus E_2$, $e_2 \in E_2 \setminus E_1$, $q \in Q$, $s \in E^*$: (1) and (2) hold true. For the second, third and fourth cases, i.e., when $(e_1 \in E_1 \setminus E_2 \wedge e_2 \in \bar{E}_1)$, $(e_1 \in \bar{E}_2 \wedge e_2 \in E_2 \setminus E_1)$ or $(e_1 \in \bar{E}_2 \wedge e_2 \in \bar{E}_1)$, (1) and (2) are guaranteed by EF1 and EF2. Therefore, provided the decomposability of $A_S$, EF1 and EF2, (1) and (2) become true for all $e_1 \in \Sigma_1 \setminus \Sigma_2$, $e_2 \in \Sigma_2 \setminus \Sigma_1$. This means that EF1 and EF2 are respectively equivalent to DC1 and DC2 after failures (for $\Sigma_1$ and $\Sigma_2$).